views: 3827
answers: 5

Which of them are preferred in which circumstances?

I'd like to see the list of evaluation criteria for the various modes, and maybe a discussion of the applicability of each criterion.

For example, I think one of the criteria is "size of the code" for encryption and decryption, which is important for micro-code embedded systems, like 802.11 network adapters. If the code required to implement CBC is much smaller than that required for CTR (I don't know this is true, it's just an example), then I could understand why the mode with the smaller code would be preferred. But if I am writing an app that runs on a server, and the AES library I am using implements both CBC and CTR anyway, then this criterion is irrelevant.

See what I mean by "list of evaluation criteria and applicability of each criterion"?

This isn't really programming related but it is algorithm related.

+3  A: 

Have you started by reading the information on this on Wikipedia - Block cipher modes of operation? Then follow the reference link on Wikipedia to NIST: Recommendation for Block Cipher Modes of Operation.

KTC
+5  A: 
  1. Anything but ECB.
  2. If using CTR, it is imperative that you use a different IV for each message, otherwise you end up with the attacker being able to take two ciphertexts and deriving a combined unencrypted plaintext. The reason is that CTR mode essentially turns a block cipher into a stream cipher, and the first rule of stream ciphers is to never use the same Key+IV twice.
  3. There really isn't much difference in how difficult the modes are to implement. Some modes only require the block cipher to operate in the encrypting direction. However, most block ciphers, including AES, don't take much more code to implement decryption.
  4. For all cipher modes, it is important to use different IVs for each message if your messages could be identical in the first several bytes, and you don't want an attacker knowing this.
Theran
To support your Point 1 (+1 for that btw): http://www.codinghorror.com/blog/archives/001267.html
Michael Stum
You shouldn't start CTR with a random number, since that has a small-but-increasing chance of colliding with part of a previous message. Instead monotonically increment it (this may mean remembering where you are up to in persistent storage), and re-key if (when) you run out of counter.
caf
@Theran - point 2 - a different random number for each message? No, I think that is not correct. I am under the impression that starting the counter always at zero is just fine. @caf, I think when Theran says "message" he does not mean "block". Of course the counter gets incremented for each block of a particular message that runs through the cipher. What Theran seems to be saying is that each message must start with a different initial value for the counter. And I think this is not correct.
Cheeso
re: point 3 - I have read papers that say, for example, CTR mode is smaller to implement because the decrypt is the same transform as encrypt. Therefore half the code. But as I say, not relevant on a server-class machine.
Cheeso
Yes, I misspoke. It's the IV/nonce that should change for CTR mode, but that gets combined with the counter before encrypting, so I tend to just think of it as a random starting point for the counter. As far as only having to use the cipher in the encrypting direction saving space, for many ciphers you only have to reverse the subkeys to decrypt. AES is a bit bulky for decrypting, but it's not like you can implement it on a uC with 128 bytes of RAM anyways. The subkeys take more RAM than that!
Theran
A: 

I know one aspect: Although CBC gives better security by changing the IV for each block, it's not applicable to randomly accessed encrypted content (like an encrypted hard disk).

So, use CBC (and the other sequential modes) for sequential streams and ECB for random access.

chris166
Ah, right, of course. The CBC XORs the prior ciphertext block with the plaintext block before encryption. The first block uses the IV. So to decrypt any block, you have to have successfully decrypted all prior blocks. ok, that's a good insight.
Cheeso
No, you only have to have access to the prior _ciphertext_, which doesn't require decrypting any previous blocks.
caf
Ah, well that means CBC is just fine with random access, doesn't it?
Cheeso
+10  A: 
  • ECB should not be used if encrypting more than one block of data with the same key.

  • CBC, OFB and CFB are identical, however OFB/CFB is better because you only need encryption and not decryption, which can save code space.

  • CTR is used if you want good parallelization (ie. speed), instead of CBC/OFB/CFB.

  • XTS mode is the most common if you are encoding randomly accessible data (like a hard disk or RAM).

  • OCB is by far the best mode, as it allows encryption and authentication in a single pass. However there are patents on it in USA.

The only thing you really have to know is that ECB is not to be used unless you are only encrypting 1 block. XTS should be used if you are encrypting randomly accessed data and not a stream.

  • You should ALWAYS use unique IVs every time you encrypt, and they should be random. If you cannot guarantee they are random, use OCB as it only requires a nonce, not an IV, and there is a distinct difference. A nonce does not drop security if people can guess the next one, an IV can cause this problem.
myforwik
Why is CTR more amenable to parallelization?
Cheeso
[CBC, OFB and CFB](http://en.wikipedia.org/wiki/Cipher_modes) are far from identical.
Jonathan Leffler
CTR is amenable to parallelization because you can split the message into chunks, each chunk having a range of counter values associated with it, and encrypt (or decrypt) each chunk independently. By contrast, CFB relies on the output from the previous block as one of the inputs to the next, so it is rigorously sequential and inherently non-parallelizable. Similar for the other modes mentioned.
Jonathan Leffler
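Theran's point 2 above (reusing a key+IV in CTR lets two ciphertexts be XORed into the XOR of the two plaintexts), caf's remark that decrypting a CBC block needs only the previous ciphertext block, and Jonathan Leffler's explanation of CTR chunk independence all follow from how each mode chains blocks. The following example is added here and is not code from any of the posters: it runs the mode logic over a constructed toy block cipher (a 4-round Feistel permutation with an HMAC-SHA256 round function, a stand-in for AES so that it needs only the Python standard library); the key, nonce and IV values used with it are constructed too.

```python
import hashlib, hmac

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed 4-round Feistel permutation (HMAC-SHA256 round function) standing
    in for AES; not a real cipher, just an invertible keyed 16-byte permutation,
    which is all the mode logic below needs."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8])
    return l + r

def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):  # undo the rounds in reverse order
        l, r = xor(r, hmac.new(key, bytes([i]) + l, hashlib.sha256).digest()[:8]), l
    return l + r

def ctr_crypt(key: bytes, nonce: bytes, data: bytes, start_block: int = 0) -> bytes:
    """CTR: keystream block i = E(key, nonce || i). Encrypt and decrypt are the same
    operation and only the block index is needed, so any chunk of the message can be
    processed on its own (random access, parallel workers)."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter = (start_block + i // BLOCK).to_bytes(8, "big")
        out += xor(data[i:i + BLOCK], toy_block_encrypt(key, nonce + counter))
    return bytes(out)

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC encryption is sequential: each block is XORed with the previous ciphertext."""
    prev, out = iv, bytearray()
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return bytes(out)

def cbc_decrypt_block(key: bytes, iv: bytes, ciphertext: bytes, n: int) -> bytes:
    """Decrypt only block n: needs ciphertext blocks n and n-1 (the IV for n == 0)
    and nothing else, so CBC decryption is random-access even though encryption is not."""
    prev = iv if n == 0 else ciphertext[(n - 1) * BLOCK:n * BLOCK]
    return xor(toy_block_decrypt(key, ciphertext[n * BLOCK:(n + 1) * BLOCK]), prev)

def ctr_nonce_reuse_leaks_xor(key, nonce1, nonce2, p1, p2) -> bool:
    """True when c1 XOR c2 == p1 XOR p2: with the same key and nonce the two messages
    share a keystream, which cancels out and exposes the relation between plaintexts."""
    return xor(ctr_crypt(key, nonce1, p1), ctr_crypt(key, nonce2, p2)) == xor(p1, p2)
```

With the same nonce for both messages the last function returns True; with two different nonces it returns False, because the keystreams differ from the very first block.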
A: 

Well, could you tell me the difference between AES-CBC and AES-CTR. Which one is best for encryption and decryption for confidentiality, integrity and authentication (CIA)?

kindly, zohirul

zahid
Seems like this ought to be a new question.
Cheeso